7. Spring Boot + Spring Security 短信功能(验证)
1.SmsCodeAuthenticationFilter用于接收短信登录信息,并把信息封装成SmsCodeAuthenticationToken。
2.将生成的SmsCodeAuthenticationToken交给AuthenticationManager,AuthenticationManager会从已注册的Provider中选取支持该Token类型的一个进行验证比对
3.SmsAuthenticationProvider调用UserDetailsService进行具体的Token逻辑验证比对
- SmsCodeAuthenticationFilter继承AbstractAuthenticationProcessingFilter,并改成自己的Filter
package com.imooc.security.core.authentication.moblie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
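/**
 * Processes SMS-code login requests posted to {@code /authentication/mobile}.
 * <p>
 * The filter only reads the {@code mobile} request parameter, wraps it in an
 * unauthenticated {@link SmsCodeAuthenticationToken} and hands it to the
 * {@code AuthenticationManager}. It does not verify the SMS code itself; that
 * verification has to happen in a filter placed earlier in the chain (the
 * browser configuration in this project registers a separate {@code SmsCodeFilter}
 * for that purpose). Do not register this filter on a chain where no such
 * check runs first, because the downstream provider accepts the bare mobile
 * number as sufficient.
 */
public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    /** Name of the request parameter carrying the mobile number. */
    public static final String IMOOC_FROM_mobile_KEY = "mobile";

    private String mobileParmeter = IMOOC_FROM_mobile_KEY;
    private boolean postOnly = true;

    // ~ Constructors
    // ===================================================================================================

    /** Matches {@code POST /authentication/mobile} only. */
    public SmsCodeAuthenticationFilter() {
        super(new AntPathRequestMatcher("/authentication/mobile", "POST"));
    }

    // ~ Methods
    // ========================================================================================================

    /**
     * Builds an unauthenticated token from the mobile number in the request and
     * delegates to the configured {@code AuthenticationManager}.
     *
     * @param request  the login request
     * @param response unused here; the success/failure handlers write the response
     * @return the token returned by the {@code AuthenticationManager}
     * @throws AuthenticationException        if the manager rejects the request
     * @throws AuthenticationServiceException if {@code postOnly} is set and the
     *                                        request is not a POST
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }
        // A missing parameter is treated as an empty mobile number, which the
        // provider will then fail to resolve; whitespace is never significant.
        String mobile = obtainmobile(request);
        mobile = mobile == null ? "" : mobile.trim();

        SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile);
        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);
        return this.getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Reads the mobile number submitted by the client.
     *
     * @param request the login request
     * @return the raw {@code mobile} parameter, or {@code null} when absent
     */
    protected String obtainmobile(HttpServletRequest request) {
        return request.getParameter(mobileParmeter);
    }

    /**
     * Copies request details (remote address, session id) into the token so the
     * provider and any audit trail can see where the attempt came from.
     *
     * @param request     that an authentication request is being created for
     * @param authRequest the authentication request object that should have its
     *                    details set
     */
    protected void setDetails(HttpServletRequest request,
            SmsCodeAuthenticationToken authRequest) {
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    }

    /**
     * Defines whether only HTTP POST requests will be allowed by this filter. If set to
     * true, and an authentication request is received which is not a POST request, an
     * exception will be raised immediately and authentication will not be attempted. The
     * <tt>unsuccessfulAuthentication()</tt> method will be called as if handling a failed
     * authentication.
     * <p>
     * Defaults to <tt>true</tt> but may be overridden by subclasses.
     *
     * @param postOnly whether to reject non-POST requests
     */
    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }
}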
- SmsCodeAuthenticationProvider实现AuthenticationProvider接口
package com.imooc.security.core.authentication.moblie;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
/**
 * Authenticates an {@link SmsCodeAuthenticationToken} by resolving its principal
 * (the mobile number) through a {@link UserDetailsService}.
 * <p>
 * NOTE(review): no SMS code is checked here. The provider trusts that a filter
 * earlier in the chain has already verified the code for this request; wired
 * into a chain without such a filter, it would accept a bare mobile number as
 * a sufficient credential.
 *
 * @author cjj
 * @date 2019年1月29日
 * @email [email protected]
 * @blog blog.csdn.net/qq_29451823
 */
public class SmsCodeAuthenticationProvider implements AuthenticationProvider {

    private UserDetailsService userDetailsService;

    /**
     * Looks up the user for the token's principal and returns a trusted token.
     *
     * @param authentication an unauthenticated {@link SmsCodeAuthenticationToken}
     * @return an authenticated token carrying the user and its authorities, with
     *         the request details copied over
     * @throws InternalAuthenticationServiceException if the user service returns
     *                                                no user
     * @throws AuthenticationException                if the user service rejects
     *                                                the lookup
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        SmsCodeAuthenticationToken request = (SmsCodeAuthenticationToken) authentication;
        String mobile = (String) request.getPrincipal();

        UserDetails user = userDetailsService.loadUserByUsername(mobile);
        if (user == null) {
            throw new InternalAuthenticationServiceException("无法获取用户信息");
        }

        // The two-argument constructor is the only way to obtain a trusted token.
        SmsCodeAuthenticationToken result = new SmsCodeAuthenticationToken(user, user.getAuthorities());
        result.setDetails(request.getDetails());
        return result;
    }

    /**
     * Lets the {@code AuthenticationManager} route tokens of type
     * {@link SmsCodeAuthenticationToken} (or a subclass) to this provider.
     *
     * @param authentication the token class offered by the manager
     * @return {@code true} if this provider handles that class
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public UserDetailsService getUserDetailsService() {
        return userDetailsService;
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }
}
- SmsCodeAuthenticationToken
package com.imooc.security.core.authentication.moblie;
import java.util.Collection;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;
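/**
 * Authentication token for the SMS-code login flow. Before authentication it
 * carries only the mobile number entered by the user; after authentication it
 * carries the resolved user and granted authorities.
 * <p>
 * The token never carries the SMS code itself ({@link #getCredentials()} is
 * always {@code null}), so the code must be verified by the filter chain before
 * an instance reaches the provider.
 *
 * @author cjj
 * @date 2019年1月29日
 * @email [email protected]
 * @blog blog.csdn.net/qq_29451823
 */
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {

    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

    // ~ Instance fields
    // ================================================================================================

    /** Mobile number before authentication, the user object afterwards. */
    private final Object principal;

    // ~ Constructors
    // ===================================================================================================

    /**
     * Creates an unauthenticated request token. This constructor can be safely
     * used by any code that wishes to create a {@code SmsCodeAuthenticationToken},
     * as {@link #isAuthenticated()} will return {@code false}.
     *
     * @param mobile the mobile number submitted with the login request
     */
    public SmsCodeAuthenticationToken(String mobile) {
        super(null);
        this.principal = mobile;
        setAuthenticated(false);
    }

    /**
     * Creates a trusted token ({@link #isAuthenticated()} = {@code true}). This
     * constructor should only be used by {@code AuthenticationManager} or
     * {@code AuthenticationProvider} implementations that have verified the request.
     *
     * @param principal   the authenticated user
     * @param authorities the authorities granted to the user
     */
    public SmsCodeAuthenticationToken(Object principal,
            Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        super.setAuthenticated(true); // must use super, as we override
    }

    // ~ Methods
    // ========================================================================================================

    /**
     * Rejects any attempt to mark the token trusted after construction; the
     * constructor taking authorities is the only way to obtain a trusted token.
     *
     * @param isAuthenticated must be {@code false}
     * @throws IllegalArgumentException if {@code isAuthenticated} is {@code true}
     */
    @Override
    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if (isAuthenticated) {
            throw new IllegalArgumentException(
                    "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        }
        super.setAuthenticated(false);
    }

    @Override
    public Object getPrincipal() {
        return this.principal;
    }

    /** No credentials are carried: the SMS code is not part of this token. */
    @Override
    public Object getCredentials() {
        return null;
    }

    @Override
    public void eraseCredentials() {
        super.eraseCredentials(); // nothing of our own to erase
    }
}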
- SmsCodeAuthenticationSecurityConfig进行文件配置
package com.imooc.security.core.authentication.moblie;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;
/**
 * Security configurer for SMS-code login: wires the {@link SmsCodeAuthenticationFilter}
 * and {@link SmsCodeAuthenticationProvider} into an {@code HttpSecurity} chain.
 * <p>
 * NOTE(review): neither the filter nor the provider registered here checks the
 * SMS code; the chain this configurer is applied to must already contain the
 * filter that does (the browser configuration adds a separate {@code SmsCodeFilter}).
 *
 * @author cjj
 * @date 2019年1月29日
 * @email [email protected]
 * @blog blog.csdn.net/qq_29451823
 */
@Component("smsCodeAuthenticationSecurityConfig")
public class SmsCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {

    @Autowired
    private AuthenticationSuccessHandler imoocAuthenticationSuccessHandler;
    @Autowired
    private AuthenticationFailureHandler imoocAuthenticationFailureHandler;
    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Registers the SMS provider and places the SMS filter after the
     * username/password filter.
     *
     * @param http the chain being built
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // The manager is taken from the shared objects before the provider is
        // registered, matching the original wiring order.
        SmsCodeAuthenticationFilter filter = newFilter(http.getSharedObject(AuthenticationManager.class));
        SmsCodeAuthenticationProvider provider = newProvider();

        http.authenticationProvider(provider);
        http.addFilterAfter(filter, UsernamePasswordAuthenticationFilter.class);
    }

    /** Builds the filter with the injected success/failure handlers. */
    private SmsCodeAuthenticationFilter newFilter(AuthenticationManager manager) {
        SmsCodeAuthenticationFilter filter = new SmsCodeAuthenticationFilter();
        filter.setAuthenticationManager(manager);
        filter.setAuthenticationSuccessHandler(imoocAuthenticationSuccessHandler);
        filter.setAuthenticationFailureHandler(imoocAuthenticationFailureHandler);
        return filter;
    }

    /** Builds the provider backed by the injected {@code UserDetailsService}. */
    private SmsCodeAuthenticationProvider newProvider() {
        SmsCodeAuthenticationProvider provider = new SmsCodeAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        return provider;
    }
}
- 然后在BrowserSecurityConfig里面加入SmsCodeAuthenticationSecurityConfig配置文件
package com.imooc.security.browser;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import com.imooc.security.core.authentication.moblie.SmsCodeAuthenticationSecurityConfig;
import com.imooc.security.core.properties.SecurityProperties;
import com.imooc.security.core.validate.code.SmsCodeFilter;
import com.imooc.security.core.validate.code.ValidateCodeFilter;
/**
 * Browser-side Spring Security configuration: form login, image-code and
 * SMS-code filters, remember-me, and the SMS login configurer.
 *
 * @author cjj
 * @date 2018年9月26日
 * @email [email protected]
 * @blog blog.csdn.net/qq_29451823
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    @Autowired
    private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;
    @Autowired
    private SecurityProperties securityProperties;
    @Autowired
    private AuthenticationSuccessHandler imoccAuthenticationSuccessHandler;
    @Autowired
    private AuthenticationFailureHandler imoccAuthenticationFailUrlHandler;
    @Autowired
    private DataSource dataSource;
    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Stores remember-me tokens in the database behind {@code dataSource}.
     *
     * @return the JDBC-backed token repository
     */
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
        tokenRepositoryImpl.setDataSource(dataSource);
        //tokenRepositoryImpl.setCreateTableOnStartup(true);//would auto-create the remember-me token table on startup
        return tokenRepositoryImpl;
    }

    /**
     * Encoder used to hash and verify passwords.
     *
     * @return a {@link BCryptPasswordEncoder}
     */
    @Bean
    public PasswordEncoder passwordEncode() {
        //one implementation of PasswordEncoder
        return new BCryptPasswordEncoder();
    }

    /**
     * Builds the browser filter chain. The code-checking filters run before the
     * username/password filter; the SMS authentication filter/provider applied
     * at the end do not verify the SMS code themselves, so they depend on
     * {@code smsCodeFilter} staying in this chain (presumably that filter does
     * the check — confirm against its implementation).
     *
     * @param http the chain being built
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
        validateCodeFilter.setAuthenticationFailureHandler(imoccAuthenticationFailUrlHandler);
        validateCodeFilter.setSecurityProperties(securityProperties);
        validateCodeFilter.afterPropertiesSet();
        SmsCodeFilter smsCodeFilter = new SmsCodeFilter();
        smsCodeFilter.setAuthenticationFailureHandler(imoccAuthenticationFailUrlHandler);
        smsCodeFilter.setSecurityProperties(securityProperties);
        smsCodeFilter.afterPropertiesSet();
        http.addFilterBefore(smsCodeFilter,UsernamePasswordAuthenticationFilter.class)//smsCodeFilter runs before the username/password filter
        .addFilterBefore(validateCodeFilter,UsernamePasswordAuthenticationFilter.class)//validateCodeFilter runs before the username/password filter
        .formLogin()//form-based authentication
        .loginPage("/authentication/require")//custom login page
        .loginProcessingUrl("/authentication/from")//this URL is handled by UsernamePasswordAuthenticationFilter
        .successHandler(imoccAuthenticationSuccessHandler)
        .failureHandler(imoccAuthenticationFailUrlHandler)
        .and()
        //remember-me configuration
        .rememberMe()
        .tokenRepository(persistentTokenRepository())//calls the @Bean method; in a @Configuration class this resolves to the container-managed instance
        .tokenValiditySeconds(securityProperties.getBrowser().getRemeberMeSeconds())
        .userDetailsService(userDetailsService)
        //http.httpBasic()//pop-up (HTTP Basic) authentication
        .and()
        .authorizeRequests()//authorization rules for requests
        .antMatchers("/authentication/require"
        ,securityProperties.getBrowser().getLoginPage()
        ,"/code/*").permitAll()//these paths need no authentication
        .anyRequest()//every other request
        .authenticated()//requires an authenticated user
        .and()
        .csrf().disable()//CSRF protection disabled. NOTE(review): this is a cookie/session-based form login with remember-me, exactly the flow CSRF protection exists for; confirm the blanket disable is intentional rather than scoping it to the endpoints that need it
        .apply(smsCodeAuthenticationSecurityConfig);
    }
}
- 效果展示
不输入短信验证码直接登录
输入错误的短信验证码
发送短信验证码后,后台会收到一个6位数字的短信验证码(这儿是手动随机模拟生成),然后输入正确的短信验证码,这儿设置为将Token信息返回到前台页面
如果重复页面验证,就会返回登录页面,再登录一次
注:整体代码有一处重复的地方,需要重构。